ProtonVPN Wireguard DNS

Started by not_the_messiah, February 19, 2024, 05:47:51 PM

April 15, 2024, 05:17:43 PM #15 Last Edit: April 15, 2024, 05:19:20 PM by gspannu
Quote from: jlficken on April 05, 2024, 02:17:46 AM
I got it working!!!!

It involves setting up the WG tunnels correctly and a Port Forward rule; however, it's working beautifully and only for my devices.

WireGuard Instance Config: [screenshot]

Gateway Config Overview: [screenshot]

Gateway Config Detail: [screenshot]

Aliases: [screenshot]

Port Forward Rule: [screenshot]

Cannot see your attached images...

Would you mind reposting and writing up a small tutorial?

It has been an absolute struggle to get a WG connection to an external VPN.

Most of the guides on internet are outdated and refer to the WG-go version.

Thanks...

Try the images in my original post now as I moved to a new image hosting option.

Quote from: jlficken on April 15, 2024, 10:25:46 PM
Try the images in my original post now as I moved to a new image hosting option.

Thanks, the images are showing now...

@jlficken, I noticed you've strayed away from using the tunnel IP that ProtonVPN documents (10.2.0.2/32),
considering the explanations here: https://protonvpn.com/support/wireguard-privacy/

do you know why your configuration is working with differing tunnel IPs?

@umbramalison

I have 3 tunnels running for a Gateway Group and you can't have 3 WireGuard instances running with the same Tunnel Address so that's why I had to change them.

@jlficken, I'm also trying to get multiple tunnels working, and I also thought I had it working by simply using a different tunnel IP like you describe.

But I don't understand how that would work, as I believe the tunnel IP needs to be configured the same from both sides, and Proton VPN seems almost consistent in that the tunnel IP has to be 10.2.0.2/32, and they cite that this is to better protect users.
Almost consistent, because they did at least once post on Reddit suggesting 10.2.0.2/28...

There are guides online for solving this another way, and that is to NAT each tunnel, allowing each tunnel IP to be identical on the external side while internally the IP and GW are mapped to unique IPs. An extra NAT is yet more port forward configuration though,
such as this guide https://old.reddit.com/r/ProtonVPN/comments/127zpbe/protonvpn_wireguard_multiconnection_on_pfsense/

Coming back to your solution, it seemed like it worked for me too, so I'm left thinking: why? What am I missing? Maybe it's not working the way I think and it's actually very broken like this.

If you know why changing the tunnel IP works, or where this is documented, that would be super.

Yeah I have no idea why it works. I just know that it does.

@umbramalison

In looking at this I kind of wonder if the IP used on the WireGuard Instance doesn't matter at all since Proton reassigns it when you connect?

https://web.archive.org/web/20240222160434/https://protonvpn.com/support/wireguard-privacy/

@jlficken i spoke to proton vpn chat today about this,

here is what I was told:

Quote:
You can indeed change the tunnel IP to 10.3.0.2 to get another connection.
You should be able to put any number at 10._.0..., but keep in mind that you will have to generate a unique certificate for each connection.

I was told it's not mentioned on the web pages because it's a complicated setup. Well, nowhere near as complicated as those guides that I was looking at which add NAT and virtual IPs etc. etc.!

I suspect the bit about the certificate would be specific to OpenVPN.
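The approach the Proton chat describes above (one downloaded config per connection, each instance given its own 10.N.0.2/32 tunnel address) is easy to get wrong by pasting the same config twice. The script below is an added example, not from this thread, OPNsense or Proton: it takes several ProtonVPN-style WireGuard client configs, assigns 10.2.0.2/32, 10.3.0.2/32, ... in order, and refuses to continue if two configs share a PrivateKey. The two configs embedded in it are constructed samples whose keys, endpoints and DNS line are placeholders; the second-octet numbering follows the chat quote and is an assumption about what Proton's side accepts, which the thread itself does not explain.

```python
"""Prepare several ProtonVPN WireGuard client configs as separate
WireGuard instances with distinct tunnel addresses (10.2.0.2/32, 10.3.0.2/32, ...).

Added example, not code from the thread, OPNsense or Proton. The sample
configs are constructed; keys, endpoints and DNS values are placeholders.
"""

# Constructed sample configs in the layout of a generator-downloaded
# WireGuard client config. Each has its own (placeholder) PrivateKey.
CONFIGS = [
"""[Interface]
PrivateKey = cPlaceholderPrivateKeyForTunnelOne0000000000=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = sPlaceholderServerPublicKeyOne000000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.10:51820
""",
"""[Interface]
PrivateKey = cPlaceholderPrivateKeyForTunnelTwo0000000000=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = sPlaceholderServerPublicKeyTwo000000000000000=
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.11:51820
""",
]


def parse_wg_config(text):
    """Parse the INI-like WireGuard config into {section: {key: value}}.
    Comments (#...) and blank lines are ignored; one [Interface] and one
    [Peer] section are expected, as in a Proton-generated config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def render_wg_config(sections):
    """Serialise {section: {key: value}} back into wg-quick style text."""
    out = []
    for name, kv in sections.items():
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kv.items())
        out.append("")
    return "\n".join(out)


def assign_tunnel_addresses(config_texts, first_second_octet=2):
    """Return [(address, config_text), ...] with Address = 10.N.0.2/32,
    N = first_second_octet, first_second_octet + 1, ... (assumption: this is
    the numbering the Proton chat described). Raises ValueError when two
    inputs carry the same PrivateKey, i.e. one download was reused."""
    parsed = [parse_wg_config(t) for t in config_texts]
    keys = [p["Interface"]["PrivateKey"] for p in parsed]
    if len(set(keys)) != len(keys):
        raise ValueError("two configs share a PrivateKey; generate one config per tunnel")
    results = []
    for n, p in enumerate(parsed):
        addr = f"10.{first_second_octet + n}.0.2/32"
        p["Interface"]["Address"] = addr
        results.append((addr, render_wg_config(p)))
    return results


if __name__ == "__main__":
    for addr, cfg in assign_tunnel_addresses(CONFIGS):
        print(f"# instance with tunnel address {addr}")
        print(cfg)
```

Each rendered config maps onto one OPNsense WireGuard instance (the [Interface] block) plus one peer (the [Peer] block); the Endpoint and server PublicKey are left exactly as downloaded, only Address changes.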

@umbramalison, I agree this sounds simpler. In case you wanted to give a try to a setup with NAT rules and virtual ips, you can check my working configuration here: https://forum.opnsense.org/index.php?topic=41534.msg203864#msg203864.

More complicated, but highly educational IMO :)

As a side note, you may want to check the Status page under VPN --> WireGuard to make sure the tunnels are actually working. I figured out that even though the Gateway was showing as being "Up", the tunnel wasn't actually working, as there was no value in the Handshake, Send, or Received columns.

I was wondering why pages going out over the tunnels would sometimes load and sometimes wouldn't and that's why.

After changing to different servers they're all up and passing traffic now.
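The symptom described in the post above, a gateway that reports "Up" while the tunnel has no handshake and no traffic, is visible from the shell in the same three columns the Status page shows. The script below is an added example, not from the thread or from OPNsense: it parses the tab-separated output of `wg show all dump` (the layout documented in wg(8)) and reports, per interface, whether the peer has never handshaked, has a stale handshake, or has handshaked but received nothing back. The dump text embedded in it is constructed; keys, endpoints and counters are placeholders. The 180 s staleness threshold is a choice for this example: a peer with persistent keepalive rekeys about every two minutes, so a handshake much older than that means the tunnel is not carrying traffic.

```python
"""Flag WireGuard tunnels that a gateway monitor may call "Up" although the
peer has never completed a handshake or has gone quiet.

Added example, not code from the thread or from OPNsense. Input is the
`wg show all dump` format: one interface line (5 fields) per tunnel followed
by one line per peer (9 fields), tab-separated. The sample below is
constructed; keys, endpoints and counters are placeholders.
"""

NOW = 1_713_200_000  # fixed "now" so the sample evaluates reproducibly

# Constructed sample of `wg show all dump`.
# interface line: name  private-key  public-key  listen-port  fwmark
# peer line:      name  public-key  preshared-key  endpoint  allowed-ips
#                 latest-handshake  transfer-rx  transfer-tx  persistent-keepalive
SAMPLE_DUMP = "\n".join([
    "wg1\t(hidden)\tPUBKEY1=\t51820\toff",
    f"wg1\tPEER1=\t(none)\t203.0.113.10:51820\t0.0.0.0/0\t{NOW - 45}\t987654\t123456\t25",
    "wg2\t(hidden)\tPUBKEY2=\t51821\toff",
    "wg2\tPEER2=\t(none)\t203.0.113.11:51820\t0.0.0.0/0\t0\t0\t4832\t25",
    "wg3\t(hidden)\tPUBKEY3=\t51822\toff",
    f"wg3\tPEER3=\t(none)\t203.0.113.12:51820\t0.0.0.0/0\t{NOW - 900}\t55000\t61000\t25",
    "wg4\t(hidden)\tPUBKEY4=\t51823\toff",
    f"wg4\tPEER4=\t(none)\t203.0.113.13:51820\t0.0.0.0/0\t{NOW - 30}\t0\t9000\t25",
])

STALE_AFTER = 180  # seconds; threshold chosen for this example (see lead-in)


def parse_dump(text):
    """Return one dict per peer line; interface lines (5 fields) are skipped."""
    peers = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) != 9:
            continue
        peers.append({
            "iface": f[0],
            "pubkey": f[1],
            "endpoint": f[3],
            "handshake": int(f[5]),  # unix time of latest handshake, 0 = never
            "rx": int(f[6]),         # bytes received from the peer
            "tx": int(f[7]),         # bytes sent to the peer
        })
    return peers


def check_tunnels(text, now):
    """Map interface name -> status string. Anything other than "ok" means
    the tunnel is not usable even if a ping-based gateway monitor says Up."""
    report = {}
    for p in parse_dump(text):
        age = now - p["handshake"]
        if p["handshake"] == 0:
            status = "never handshaked"
        elif age > STALE_AFTER:
            status = f"stale handshake ({age}s ago)"
        elif p["rx"] == 0:
            status = "handshake ok but nothing received"
        else:
            status = "ok"
        report[p["iface"]] = status
    return report


if __name__ == "__main__":
    # On a live box replace SAMPLE_DUMP with the output of: wg show all dump
    for iface, status in check_tunnels(SAMPLE_DUMP, NOW).items():
        print(f"{iface}: {status}")
```

Run against a live system, only interfaces reported as "ok" should be left in a gateway group; the others are the ones where pages "sometimes load and sometimes don't".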

January 09, 2025, 05:58:37 AM #26 Last Edit: January 09, 2025, 06:01:09 AM by frozen
I'm here for the same reason. This is an absolute nightmare. The documentation is one of the worst things of all; the guide is just totally ignorant of the needs of the user at the bottom of it.

The tunnels are established, and I can assign a client to the alias, which will then browse through the tunnel with no problems. A `curl ip.me` check shows the VPN IP. But I can't solve the leaking DNS problem.